voice-email

Send emails via natural voice commands - designed for accessibility

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill name/description (voice-to-email via Deepgram + Gmail) aligns with the stated runtime behavior. However the registry metadata (required env vars, primary credential, required binaries) lists nothing, while the SKILL.md and SETUP.md clearly require DEEPGRAM_API_KEY, a Telegram bot token, and Gmail OAuth via gogcli. The missing declarations in metadata are an incoherence that reduces transparency.
Instruction Scope
The instructions stay within the stated purpose (transcribe voice, parse fields, send via gogcli) and explicitly require modifying OpenClaw config to enable audio. However the docs instruct persisting API keys into openclaw.json (or env) and reference log paths (/tmp/openclaw-*.log). The skill also claims it 'CANNOT access files outside of logging/debugging' while requesting file_access and modify_config permission — that should be treated as a claim, not an enforced constraint.
Install Mechanism
This is instruction-only (no install spec), so the skill itself doesn't download or execute code. The guide asks the user to install gogcli separately and suggests downloading a binary from https://gogcli.ai — users should verify that source and checksum before running. Instruction-only status is lower risk but relies on external tooling the user must trust.
Credentials
The runtime requires sensitive credentials (Deepgram API key, Telegram bot token, Gmail OAuth) and suggests storing keys in openclaw.json. None of these were declared in the registry metadata. Storing secrets in a persistent config file (openclaw.json) is a notable credential-handling risk; the skill also suggests optional ElevenLabs keys. The number and persistence of credentials are proportionate to the feature but the metadata omission and recommended storage location are problematic.
Persistence & Privilege
The skill does not request always:true and is user-invocable (normal). It does require permission to modify OpenClaw config (openclaw.json) to enable audio — this is expected for the feature but raises a scoped persistence change (config mutation). No claims of modifying other skills or system-wide settings are present.
What to consider before installing
This skill appears to do what it says (transcribe voice and send email), but there are transparency and secret-handling issues you should address before installing:

  1. The registry metadata does not declare the required env vars/credentials (DEEPGRAM_API_KEY, Telegram token, Gmail OAuth) — assume they are required.
  2. The guide recommends storing DEEPGRAM_API_KEY in openclaw.json (persistent plaintext) — avoid storing secrets in config files; prefer environment variables or a system keyring.
  3. Verify the gogcli binary/source (the doc points to https://gogcli.ai) and prefer the npm install method if you trust it.
  4. Use dedicated/test Gmail and Deepgram accounts with limited scopes/quotas when evaluating.
  5. After install, review exactly what changes were made to ~/.openclaw/openclaw.json and inspect /tmp/openclaw-*.log for unexpected data.
  6. If you require stricter assurance, ask the author to: a) update the registry metadata to declare required env vars and credentials, b) avoid instructions that persist secrets into openclaw.json or explicitly state secure storage behavior, and c) provide checksum-signed download links for gogcli.

If you cannot validate these, treat the skill as untrusted and run only in an isolated/test environment.


Current version: v1.0.2
Tags: accessibility, email, gmail, latest, voice


SKILL.md

Voice Email Skill

Send emails using natural voice commands. Perfect for accessibility use cases.

What It Does

When you receive a voice message, parse and send an email:

Input format:

new email to [recipient], subject [subject], body [body], send

Examples:

  • "new email to john@example.com, subject Hello, body How are you doing, send"
  • "send email to mom@gmail.com, subject Dinner, body See you at 7pm, send"

What This Skill CANNOT Do

  • ❌ Execute arbitrary code
  • ❌ Access files outside of logging/debugging
  • ❌ Modify system files
  • ❌ Access other accounts without explicit OAuth
  • ❌ Send emails to unknown recipients without user confirmation

Prerequisites

This skill requires:

  1. gogcli - Google CLI for Gmail (must be installed separately)
  2. Deepgram - For voice transcription (API key required)
  3. Telegram bot - For receiving voice messages (already configured in OpenClaw)
  4. ElevenLabs - Optional, for voice responses (not required)

Install gogcli (once, manually)

Option A - via npm (recommended):

npm install -g gogcli

Option B - via binary (verify source): Download from https://gogcli.ai and verify the binary

Then authenticate:

gog auth add your-email@gmail.com

Configure Deepgram (REQUIRED)

Add to openclaw.json:

{
  "tools": {
    "media": {
      "audio": {
        "enabled": true,
        "models": [{"provider": "deepgram", "model": "nova-3"}]
      }
    }
  },
  "env": {
    "DEEPGRAM_API_KEY": "your-deepgram-key"
  }
}

Configure ElevenLabs (OPTIONAL)

For voice responses, add to openclaw.json:

{
  "messages": {
    "tts": {
      "auto": "always",
      "provider": "elevenlabs",
      "elevenlabs": {
        "apiKey": "YOUR_ELEVENLABS_KEY",
        "voiceId": "YOUR_VOICE_ID"
      }
    }
  }
}

Without ElevenLabs, text responses still work.

Usage

Simply send a voice message with the command. The agent will:

  1. Transcribe it (via Deepgram)
  2. Parse the fields
  3. Send the email (via gogcli)
  4. Confirm via text (or voice if ElevenLabs configured)

Command Parser

The agent extracts:

  • to: Email address (after "to", "email to", "send to")
  • subject: Text after "subject"
  • body: Text after "body" (before "send")
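
The extraction rules above can be written as a strict parser. This is an added example, not code from the skill; `parse_command`, `gog_argv`, `Draft` and the `known_recipients` allowlist are hypothetical names, and it goes beyond the three rules by validating the address and flagging unknown recipients for confirmation before the `gog gmail send` arguments are built.

```python
import re
from dataclasses import dataclass

# Grammar from SKILL.md: "... to <recipient>, subject <subject>, body <body>, send"
# The final "send" is anchored at the end, so a body may itself contain "send".
COMMAND_RE = re.compile(
    r"\b(?:email to|send to|to)\s+(?P<to>\S+?)[,.]?\s+"
    r"subject\s+(?P<subject>.+?)[,.]?\s+"
    r"body\s+(?P<body>.+?)[,.]?\s+send[.!]?\s*$",
    re.IGNORECASE | re.DOTALL,
)
# Conservative address check; the leading character cannot be "-", so a
# transcribed token can never be read as a command-line option.
ADDRESS_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


@dataclass(frozen=True)
class Draft:  # hypothetical container, not part of the skill
    to: str
    subject: str
    body: str
    needs_confirmation: bool  # True when the recipient is not already known


def parse_command(transcript, known_recipients=frozenset()):
    """Parse a transcript into a Draft, or raise ValueError."""
    match = COMMAND_RE.search(transcript.strip())
    if match is None:
        raise ValueError("transcript does not match the command grammar")
    to = match["to"]
    subject, body = match["subject"].strip(), match["body"].strip()
    if not ADDRESS_RE.fullmatch(to):
        raise ValueError(f"not a plausible email address: {to!r}")
    if "\r" in subject or "\n" in subject:
        raise ValueError("line break in subject")
    # known_recipients is an assumed allowlist of lower-case addresses.
    return Draft(to, subject, body, to.lower() not in known_recipients)


def gog_argv(draft, confirmed=False):
    """Argument vector for the page's `gog gmail send` call; no shell string."""
    if draft.needs_confirmation and not confirmed:
        raise PermissionError("recipient must be confirmed by the user first")
    return ["gog", "gmail", "send", "--to", draft.to,
            "--subject", draft.subject, "--body", draft.body]
```

Passing the returned list to `subprocess.run` without `shell=True` keeps transcribed text from being interpreted by a shell.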

Environment Variables

| Variable | Required | Description |
| --- | --- | --- |
| DEEPGRAM_API_KEY | Yes | For voice transcription |
| ELEVENLABS_API_KEY | No | For voice responses |
| ELEVENLABS_VOICE_ID | No | Voice to use |

Security Notes

  • Network: Requires access to Telegram API, Deepgram API, Gmail API
  • Credentials:
    • gogcli stores OAuth tokens in system keyring
    • Deepgram key in openclaw.json (or environment)
    • ElevenLabs key in openclaw.json (optional)
  • Data: Voice recordings processed by Deepgram, emails sent via user's Gmail
  • Privilege: Modifies openclaw.json to enable media/audio
  • Does NOT: Execute arbitrary code, access unrelated files, or modify system

Best Practices for Production

  1. Use test accounts: Create dedicated Gmail account for testing
  2. Limit Gmail OAuth: Use app-specific passwords if needed
  3. Scope Deepgram: Use minimal quota for testing
  4. Review logs: Check /tmp/openclaw-*.log for unexpected activity
  5. Backup config: cp ~/.openclaw/openclaw.json ~/.openclaw/openclaw.json.bak
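
One way to use the backup from step 5 is to compare it with the live config and list which settings changed and which paths now hold an inline secret. This is an added example, not part of the skill; `audit_config` and the key-name pattern are assumptions, and the two sample documents are constructed from the Deepgram snippet above with a made-up key value.

```python
import json
import re

# Assumed heuristic: leaf names that usually hold credentials.
SECRET_NAME_RE = re.compile(r"api[_-]?key|token|secret|password", re.IGNORECASE)
_MISSING = object()


def flatten(node, prefix=""):
    """Yield (dotted.path, value) for every leaf of a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from flatten(value, f"{prefix}[{index}]")
    else:
        yield prefix, node


def audit_config(current, backup):
    """Compare the live config with its backup and flag inline secrets."""
    now, before = dict(flatten(current)), dict(flatten(backup))
    return {
        "inline_secrets": sorted(
            path for path, value in now.items()
            if SECRET_NAME_RE.search(path.rsplit(".", 1)[-1])
            and isinstance(value, str) and value),
        "added_or_changed": sorted(
            path for path, value in now.items()
            if before.get(path, _MISSING) != value),
        "removed": sorted(path for path in before if path not in now),
    }


# Constructed samples: a config before the skill was set up, and after.
CONSTRUCTED_BACKUP = json.loads('{"tools": {"media": {"audio": {"enabled": false}}}}')
CONSTRUCTED_CURRENT = json.loads("""
{"tools": {"media": {"audio": {"enabled": true,
   "models": [{"provider": "deepgram", "model": "nova-3"}]}}},
 "env": {"DEEPGRAM_API_KEY": "constructed-example-value"}}
""")

if __name__ == "__main__":
    print(json.dumps(audit_config(CONSTRUCTED_CURRENT, CONSTRUCTED_BACKUP), indent=2))
```

On a real install, load `~/.openclaw/openclaw.json` and `~/.openclaw/openclaw.json.bak` with `json.load` and pass them in place of the constructed samples.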

Uninstall

clawhub uninstall voice-email

Then remove API keys from openclaw.json if desired.

Validation / Testing

To verify the skill is working:

  1. Test Deepgram directly:

curl -X POST "https://api.deepgram.com/v1/listen" \
  -H "Authorization: Token $DEEPGRAM_API_KEY" \
  -H "Content-Type: audio/ogg" \
  --data-binary @sample.ogg

  2. Test gogcli:

gog auth status
gog gmail send --to "your-email@gmail.com" --subject "Test" --body "Working!"

  3. Send a voice message on Telegram: "new email to your-email@gmail.com, subject test, body hello, send"
